The ENS DAO community treasury—holding 500,000 ENS tokens and an unknown amount of ETH—is currently controlled by a single multisig. Not a 3-of-5, not a 5-of-7, but a 1-of-1. In cryptographic terms, that is a single private key. One lost seed phrase, one compromised hardware wallet, one disgruntled signer, and the entire treasury is drained. This is not a hypothetical. It is the current state of one of Ethereum’s most widely used infrastructure protocols.
Co-founder Alex Van de Sande published a proposal this week to end that dependency. The core idea is straightforward: delegate those 500,000 ENS tokens from the dormant community treasury to individual participants, dispersing voting power away from the single multisig. On the surface, this reads as a healthy step toward decentralization. But as someone who has spent the last eight years auditing token distribution algorithms and uncovering hidden backdoors in yield aggregators, I have learned that governance reforms often mask new centralization vectors. The question is not whether the 1-of-1 multisig is bad—it clearly is. The question is whether the proposed delegation framework replaces one single point of failure with another.
Context: The DAO That Runs on a Single Key
ENS (Ethereum Name Service) is the dominant naming protocol on Ethereum, responsible for mapping human-readable names to addresses. Its DAO controls the protocol’s parameters, fees, and the community treasury. Since its inception, the DAO’s treasury has been managed via a 1-of-1 multisig—a configuration that is technically a multisig but functionally identical to a single-signer wallet. This architecture was likely chosen for operational simplicity during the project’s early days. But today, with millions of dollars in assets and thousands of dependent applications, that simplicity is a liability.
The proposal by Van de Sande seeks to “activate” the dormant ENS tokens by delegating them to “individual participants”—the term used in the proposal is vague—thereby allowing those tokens to be used in governance votes. The stated goal is to reduce the centralization risk inherent in the current multisig and to increase governance participation. The tokens themselves are not being transferred out of the treasury; they remain under DAO control. Only the voting rights are delegated.
Core: A Forensic Dissection of the 1-of-1 Multisig Risk
Let me be precise. A 1-of-1 multisig means that a single address can execute any transaction on behalf of the treasury. There is no quorum, no co-signer requirement. This is not a theoretical vulnerability—it is a structural design flaw that violates the fundamental principle of defense-in-depth. During my 2020 investigation into a DeFi yield aggregator, I traced a $4.2 million theft to a similar single-key backdoor. The developers had embedded a function that allowed a single owner to withdraw any asset. The audit had missed it because it was hidden in plain view, disguised as a “multisig withdrawal” function with a threshold of 1. The exploit took less than thirty minutes to execute once the key was compromised.
The ENS treasury is currently a sitting duck for that exact attack vector. The proposal acknowledges this, calling it “just a 1-of-1 multisig.” Good. That is the first step toward fixing it. But the proposed fix—delegating voting power to individuals—does not directly address the treasury control issue. The multisig still controls the assets. Delegation only affects governance votes on matters like fee changes or protocol upgrades. If the private key is stolen, the treasury is gone regardless of who holds the voting rights.
What the proposal effectively does is separate governance voting power from treasury execution power. That is an improvement, but an incomplete one. The multisig itself must be replaced with a true multi-signature setup—at minimum a 3-of-5—before the treasury can be considered secure. The proposal does not mention changing the multisig threshold. This is a critical gap.
Furthermore, the delegation mechanism itself introduces new risks. The proposal uses the generic term “individual participants” without specifying selection criteria. If the tokens are delegated to a small cluster of known community figures—say, three to five individuals—those few will collectively control a significant voting bloc. This can lead to a new form of centralized influence, where a small group effectively dictates governance outcomes. I have seen this pattern before: in 2017, during an ICO audit, I discovered that the token distribution algorithm heavily favored insiders through a lack of vesting restrictions. The result was a concentration of power that allowed early participants to dominate governance once the token was live. The ENS proposal risks replicating that dynamic if the delegate list is too narrow or lacks transparency.
Another concern is the lack of an expiration or recall mechanism. Delegation should not be permanent. The DAO must be able to revoke delegation if a delegate becomes inactive, hostile, or compromised. Without a clear on-chain mechanism for re-delegation, the dormant tokens could transition from a single multisig to a small oligarchy. That is not decentralization; it is a change of custodians.
Contrarian: What the Bulls Got Right
Critics will say this proposal is too timid—that it does not go far enough because it leaves the multisig in place. They are not wrong. But dismissing the proposal outright ignores an important reality: any step away from a 1-of-1 multisig is a step toward resilience. The current setup is indefensible. The proposal at least starts a conversation about how to distribute power. The activation of dormant voting tokens could increase participation from the broader community, which has historically been low. If structured correctly—with transparent delegate selection, term limits, and on-chain revocation—this model could serve as a template for other DAOs stuck in similar single-key traps.
The bulls are also correct that the proposal does not require a token transfer, meaning no market pressure from liquidating the treasury. The tokens remain under DAO control. The only change is who gets to vote with them. That is a low-risk governance experiment that can be reversed if it fails.
Takeaway: The Proposal Is a Necessary First Step, But Don’t Stop Here
The ENS DAO is waking up to its governance vulnerabilities. The 1-of-1 multisig is a relic of a simpler era, and it is good that leadership is acknowledging it. But the proposal must be treated as a starting point, not a solution. The multisig threshold itself must be increased. Delegation must be transparent, revocable, and distributed. The community must demand on-chain receipts for delegate selection, not just a forum post. Hype evaporates; receipts remain. And ledger balances do not lie; they only wait for the right key to move them.
Every DAO that holds real value should audit its own governance architecture today. If your treasury is controlled by a single signer, you are not decentralized. You are a sitting target. The ENS proposal is a chance to change that—but only if the community insists on a full fix, not a cosmetic patch.